Real-World Testing to Inform Your NGFW Buying Decision

We’re excited to share with you the latest NSS Labs NGFW test results. In the most rigorous independent NGFW testing to date, Cisco outperformed eight competitors in security effectiveness, blocking 100% of evasions and surpassing four vendors by over 50 points. You can download the reports to get the details. For the fourth year in a row, Cisco Firepower NGFW earned a “Recommended” rating from NSS Labs.

The NSS evaluation underscores three things you should consider when selecting an NGFW.

1. Blocking Evasions

The first is why blocking evasions matters. A 100% block rate for evasions means that you are protected against stealthy attacks that slip through other vendors’ NGFWs. NSS Labs described the implications of failing to detect an evasion best:

“…it allows an attacker to use an entire class of exploits for which the device is assumed to have protection. This renders the device virtually useless.”

All it takes is one successful evasion for attackers to infiltrate your network and have a huge advantage. Cisco was one of only two vendors, out of the ten evaluated, to prevent adversaries from using evasion techniques to disguise attacks at the point of delivery.

Some vendors did poorly at blocking evasions—to the point that NSS Labs would not recommend their NGFWs. They could only block the evasions upon retesting – having fixed weaknesses from the first test.

Which vendors are best prepared? One that got it right the first time? Or one that required retesting to fix their weaknesses? Which would you like working for you? As we all know, in the real world, there are no second chances when blocking threats. One evasion can pose serious risk to your business.

2. Consistency of Performance

The second consideration is consistency of performance. While it’s great to score well in any given test, strong performance year after year is what counts most, as shown in the graphic below of Cisco’s performance over the past seven years. Note that the dotted lines are test averages of all participating vendors.

Cisco delivers investment protection with consistently strong results in independent testing. Note: the majority of the products in the 2017 NGFW test failed to detect one or more evasions. The impact of missed evasions weighed heavily on the overall scoring for security effectiveness, which explains the considerable drop in the test average.

When you select an NGFW that not only performs well on Day 1, but on Day 100 and Day 1000, it means you can confidently:

Keep pace with evolving threats. As security needs and threats evolve over time, you can count on Cisco Firepower NGFW to provide consistent protection and performance.

Make informed buying decisions judged by historical performance, where you compare vendor track records over time.

3. Time to Detection

When threats slip through frontline defenses, time to detection of malware is a critical security metric. It is the window between the first observation of a file and detection of that file as a threat. We all know that adversaries can wreak more havoc the longer they remain undetected, so we must reduce their dwell time. The current, and candidly unacceptable, industry average for the time it takes to detect a breach is over 100 days.

In recent Breach Detection Systems testing, also performed by NSS Labs, Cisco products, including Firepower NGIPS and Advanced Malware Protection (AMP), detected 100 percent of the tested breaches within 24 hours. Plus, Cisco performed significantly better than its competitors – detecting the vast majority of breaches within minutes. This matters since it reduces adversaries’ dwell time – and the risk to your organization. We have been tracking our Time to Detection progress since late 2014. In less than two years, Cisco has dropped the median TTD from 50 to 15 hours to now about nine hours. We continue to make progress integrating Cisco’s security architecture – including AMP across our network, endpoint and cloud security products. We will update you again on our efforts to reduce Time to Detection through the Cisco 2017 Midyear Cybersecurity Report, to be published later this summer.

To sum up, today’s digital enterprises depend on effective security and Cisco delivers – AGAIN. The independent NSS Labs NGFW evaluation should give you great confidence that you have the best solution of its kind – whether you’re already a Cisco Firepower NGFW customer, or considering your next firewall. And beyond the firewall, only Cisco’s security architecture enables you to change the security equation in your favor, making your security posture more effective now and in the future.
